5|2011 KAS INTERNATIONAL REPORTS 87

THE POLICY IN AND THE ROLE OF THE INDEPENDENT ADMINISTRATIVE AUTHORITY CNIL

Alex Türk

The Internet is playing an increasingly important role in Western societies. This phenomenon raises many questions for governments and businesses. This new medium offers endless possibilities: it knows no boundaries and its ability to collect and process data seems limitless. The devel- opment of the Internet has gone through several stages, but unlike other media (radio, television, newspapers), it has always developed through direct input from users. The Dr. Alex Türk is Presi- emergence of social networks has reinforced this trend, dent of the indepen- dent administrative with the desire of a growing number of people to use the authority protecting Internet to share information on their private life or their privacy and personal views. In return, the business model of Internet services is data CNIL (Commis- sion nationale de largely , since the costs of producing and distributing l’informatique et des content is very low, on the one hand, and because most libertés) since 2004. contributors rely on advertising for their financing, on the He is Senator of the Département du Nord other hand. (Nord-Pas-de-Calais).

In addition, the Internet allows easier participation and reinforces the sense of equality and access to information. It also contributes to improved business productivity and knowledge sharing. From this point of view, it consti- tutes a step forward for democratic societies. However, such media can experience abuse: piracy of intellectual property, terrorism and child pornography via the Internet, pose new threats to society. In addition, some economic stakeholders still enjoy some form of immunity because of the importance they have assumed and the discussions on the law applicable to them. 88 KAS INTERNATIONAL REPORTS 5|2011

Article 1 of the Law of 6 January 1978, amended by the Law of 6 August 2004 relating to IT, files, and freedom justifies the action of our Commission in the field ofthe Internet and IT in general. It states that, “IT must be at the service of every citizen. Its development should take place within the framework of international cooperation. It shall not affect human identity, or the rights of man, nor privacy, nor individual or public liberties”.

THE DEBATES CONCERNING THE INTERNET

The debate around the Internet focuses on four main issues: its use for economic development and to deliver services to all, the prevention of abuse and, finally, the liberties and rights of individuals.

Use of the Internet for economic development

The development of the Internet and, in general, infor- mation and communication technology (ICT) is clearly identified as a growth driver in France.1 Public authorities encourage the development of Internet service companies (“start-ups”) and investments in networks, including fibre optic and 3G and 4G mobile networks.2 The international competitiveness of France, especially in hosting sites of large Internet companies, is also a current issue with multiple components (taxes, energy costs, national legis- lation, etc.).

The extension to objects, coupled with In parallel, the European Commission laun- mobile and geolocalisation applications, ched a debate on the “Internet of Things”3, allows several innovative services for users but poses significant risks on cer- in which the CNIL participated. The extension tain freedoms. of the Internet to objects, coupled with mobile and geolocalisation applications, allows several innovative services for users but poses significant risks on certain freedoms, such as the freedom to come and go anonymously, for example.

1 | The current French government also includes a Secretary of State for the Strategic Planning and Development of the Digital Economy, directly under the Prime Minister. 2 | Since 2010, part of the “Big Loan” is devoted to the deploy- ment of fibre optics. See also the work of the ARCEP (Regu- latory Authority for Electronic Communications and Postal Services) on the subject. 3 | Work that resulted in the Communication of the European Commission No. Com (2009) 0278. 5|2011 KAS INTERNATIONAL REPORTS 89

Moreover, the Internet is now an important element of spatial planning policy: some regions rely on an innovative ICT policy to attract businesses and individuals. In a competitive environment among telecom operators, the issue of investment in sparsely populated areas requires government intervention.

In general, the needs for are increasing and, since 2009, the issue of investment financing and the distribution of value added from the Internet have also been advanced. In fact, if telecom operators earn revenue for Internet access, they must respond to growing demands for bandwidth from content publishers4 without being associated with the revenue of these publishers. Moreover, the principle of an open The principle of an open Internet a pri- Internet a priori prohibits content filtering ori prohibits content filtering practices by telecom operators. Major Internet practices by telecom operators. Finally, major companies try to diversify more and Internet companies try to diversify more more to enhance their business. and more to enhance their business model.5 Our Commission has participated in many discussions, launched in 2010, on the topic of the “net neutrality” of public authorities (ARCEP, government).

Use of the Internet to deliver services to all

Besides the economic relevance of making the Internet accessible to all, the government also understands the importance of developing public services accessible on the Internet. It allows for example to reach citizens with limited physical access to public services. The government has thus developed sites for general information (such as www.public.fr-service) and individual services such as taxes (http://impots.gouv.fr)6, or to personally manage the benefits of various social administrations (job centre, Family Allowance, etc.).

4 | E.g. On-line video services such as YouTube. 5 | In particular, services based on advertising seek to collect the fullest possible view of each user to promote their services on the one hand, and complicate the economic situation of com- petitors whose model is not based on personal information because they offer free services, on the other. 6 | In 2010, 10.4 million tax returns were made on-line. 90 KAS INTERNATIONAL REPORTS 5|2011

Prevention of abuse and consideration of other rights

However, the freedoms offered by the Internet (freedom of expression, freedom to provide service from any country in the world, free trade through dematerialisation) compli- cate the protection of other legitimate rights. In France, the defenders of intellectual property focused the discus- sion on the limits to freedom offered by the Internet. In this respect, the Hadopi 27 law adopted in 2009 allows the disconnection of Internet access of users illegally down- loading copyrighted works.8 In 2010, the Parliament also discussed the law of orientation and programming for the performance of homeland security (LOPPSI 2) considering the filtering of child pornography on the Internet.

In terms of protecting privacy, the Finally, in terms of protecting privacy, the emergence of social networks has emergence of social networks, usually Ame- forced the data protection authorities to take action to enforce the European rican, has forced the data protection author- legal framework. ities to take action to enforce the European legal framework. The Group of European CNILs (G29) has issued several opinions on the topic (search engines, social networks) and in France, the CNIL has conducted inspections and relayed complaints from users (including Facebook cons).

In general, questions on the applicability of the French law to foreign sites and issues of defamation on the Internet are regularly asked. In some cases, such as personal data, it is however within the role of the CNIL and the G29 to protect Internet users located in France and , regardless of the location of the site they visit.

Strengthening democracy and freedoms

In Decision No. 2009-580 DC of 10 June 20099, the Consti- tutional Council stated that the right to free communi- cation of thoughts and opinions, as guaranteed by the Bill of Rights of Man and Citizen of 1789, includes the freedom

7 | See Part “Monitoring the Internet” of this article. 8 | Other stakeholders, such as the INA (Institut National de l’Audiovisuel) decided to use other tools, such as digital watermarking, to track usage of content on which they hold rights. 9 | On Law No. 2009-669 of 12 June 2009 to promote the dissemination and protection of creation on the Internet. 5|2011 KAS INTERNATIONAL REPORTS 91 to access the Internet. The Council highlighted the growing importance of the Internet for the communication of ideas and opinions.10

In particular, the Internet allows the archiving of all infor- mation published by the press, allowing the quick retrieval of past data on a subject. However, the systematic archiving of all data questions the possibility of forgetting some facts.

For individuals, the same issue of “right to The CNIL is particularly concerned oblivion” arose and was debated in Parliament about this issue of “right to oblivion” and has conducted numerous actions and in government. Our Commission is to help people better control their data. particularly concerned about this issue and has conducted numerous actions to help people better control their data (social networking, mapping and navigation services, work on the exhibition of the self, etc.).11

Furthermore, the development of computer networks enables the provision of new electronic voting solutions, via the Internet for example. This type of service is likely to improve voter participation in the democratic process but entails many risks, mainly technical, regarding the secrecy of votes.

Finally, the Internet allows the customization of products and offered services by each user. However, the model based on free advertising involves the collection of personal information on individuals; therefore, the conditions of relations between individuals and service providers on the Internet should be examined. In this regard, the CNIL is particularly responsible for ensuring respect for human rights.

THE CHALLENGES OF THE INTERNET FOR INDIVIDUALS

The role of the Internet in society and the methods of its regulation are hotly debated in politics and civil society. This section presents the main issues raised by the Internet

10 | At European level, a similar position was adopted in the context of discussions on the “telecoms package” in 3a of Article 1 of Directive 2002/21/EC as amended, termed the “Framework Directive” (“Amendment 138”). 11 | See pages 93 et sqq. 92 KAS INTERNATIONAL REPORTS 5|2011

as regards the protection of personal rights: the right to oblivion, tracking people, the development of electronic government, the question of monitoring the Internet and, finally, the issue of access to data.

The right to oblivion

With the development of social networks and improved search engines, people are faced with a lack of oblivion on the Internet. All the information published by themselves or others are available to all, particularly through search engines. Moreover, the economic model implies that most free sites look to increase traffic to their pages and thus make increasingly more content accessible12.

In addition, there are certain sites that specialize in archi- ving data published on the Internet, such as www.web. archive.org (mainly for high traffic sites rather than for personal pages), the website of the Library of Congress (which has decided to archive all messages The archiving of data from the Inter- publicly exchanged on the Twitter social net is of increasing interest to recrui- network since 2006) or that of the National ters. A recent study showed that one out of two recruiters uses social net- Library of France dedicated to the Internet works for hiring. since 199613.

The archiving of data from the Internet is of increasing interest to recruiters: a recent study showed that one out of two recruiters uses social networks for hiring.14 In France, an association of recruiters15 issued a charter on this subject but there is no legislation more specific than the Data Protection Law.

For the user, controlling the information published on the Internet is extremely difficult. Indeed, data related to a user can come from many different sources:

12 | For example, the site pagesjaunes.fr did not, until 2010, allow the indexing of its information (addresses and num- bers) by search engines. In 2010, the trade directory allowed part of its information to appear in engines to achieve a better listing in results and generate more traffic. 13 | Title IV of Law No. 2006-961 of 1 August 2006 on Copyright and Related Rights in the Information Society. 14 | Enquête sur les réseaux sociaux et le recrutement, les résultats, http://moderateur.blog.regionsjob.com/index.php/ post/Enquête-sur-les-réseaux-sociaux-et-le-recrutement,- les-résultats (accessed May 3, 2011). 15 | http://www.acompetenceegale.com (accessed May 3, 2011). 5|2011 KAS INTERNATIONAL REPORTS 93

▪▪some data are provided voluntarily by the user but can be revealed through a security hole or when the site changes its terms of use, as Facebook did in 2009; ▪▪data, such as connection information (IP address, search terms, etc.) are collected automatically, sometimes without the knowledge of the user; ▪▪data can be supplied by others, as for example through Facebook’s “tag” function, which allows the identification of people in photographs.

In addition, a person may wish to keep certain Today, the Internet usually implies a information on-line, but refuse to have them merger, or even a fusion, of personal, family and work life. In addition, social linked. Today, the Internet usually implies a networks offer communication capabi- merger, or even a fusion, of personal, family lities and invite users to use their real names. and work life. In addition, social networks offer communication capabilities and invite users to use their real names. Thus, these are all the aspects of life (youth, personal activities, career, photos, statements, communications) that the individual must be able to manage on the Internet, without being able to count on an automatic oblivion of this information16.

The issue of the right to oblivion was raised in France, during the Senate debate on a proposal to better ensure privacy rights in the digital age (Détraigne-Escoffier Proposal17) and is currently the subject of discussions within the government, for the development of a charter, which must be submitted for review to the CNIL.

Our Commission believes that users must be aware of the risks they take when they publish information on the Internet. To this end, the Commission supports actions that raise user awareness, such as the websites www. internetsanscrainte.fr or www.2025exmachina.net for young people. In addition, the G29 recommended that websites, and social networks in particular, adopt settings that by default protect privacy and personal information in any publication of personal information that results

16 | That is why the concept of limitation, either civil (thirty-year prescription) or criminal (the prescription varies by type of offence: violation, misdeed or crime), exists in French law. 17 | “Droit à la vie privée. Proposition de loi visant à mieux garantir le droit à la vie privée à l'heure du numérique,” http://senat.fr/ dossier-legislatif/ppl09-093.html (accessed May 3, 2011). 94 KAS INTERNATIONAL REPORTS 5|2011

from a voluntary approach of the person concerned18. The Commission further desires that people can exercise a real right to object and have the ability to have their infor- mation permanently deleted, at their request.

Tracing individuals

The other major threat to individual privacy is the devel- opment of technologies that allow their tracing, on-line and in the physical world. Indeed, in a model based on adver- tising, the effectiveness of ads is proportional to their level of customization. The search for personalized advertising is desirable for advertisers, but also potentially for those who may prefer to see ads for products that match their interests.

On the Internet, the operation of websites allows the justifiable collection of a wealth of information about users and the drawing of conclusions about their interests. The data collected today include the history of The data collected include the history visited sites, the user’s “clicks”, the keywords of visited sites, the user’s “clicks”, the entered in a search engine and even mouse search keywords entered and even mouse movements on screen. movements on screen. Profiles thus formed are not necessarily associated with the real name of a person, but the goal of targeted advertising companies is to single out each user.19 In some cases, such as Facebook, this information – used to target advertise- ments – is provided by the user (age, points of interest, discussion with other members, joining of interest groups, etc.).

The competitive landscape of on-line advertising is now very narrow and thus all major stakeholders – some of them providing other services (webmail, search engine, etc.) – gather as much information possible about users, to refine their knowledge of them. But the conservation period of data collected and their recipients are not precisely defined. Again, lack of user control on the use of personal

18 | Cf. Opinion 5/2009 on social networks: http://ec.europa.eu/ justice_home/fsj/privacy/docs/wpdocs/2009/wp163_fr.pdf (accessed May 3, 2011). Cf. also Opinion No. 1/2008 on data protection issues relating to search engines. 19 | Moreover, in some cases, the users whose navigation data are collected are registered under their name with the advertising service (e.g. Google). 5|2011 KAS INTERNATIONAL REPORTS 95 data poses a problem. In June 2010, the G29 adopted an opinion of behavioural advertising to clarify good practices for implementation.20

The revision of the Directive on Privacy and Electronic Communications21 proposes to enhance this control by providing that the use of monitoring means installed on the user’s station22 shall be conditioned on the prior consent of the owner of the station as well as on infor- mation on the purpose of collection and the controller. This provision, contained in Article 5 (3) of Directive 2002/58/ EC as amended, must be transposed into French law by May 2011.

Moreover, in the physical world, the development of mobile Internet and geolocalisation features reinforce the potential for invasion of privacy, including the freedom to come and go. Some services, Several advertising companies collect like Google Latitude, can potentially track location data to target advertising to users. Most people are not informed of all physical movement. In addition, several this collection. advertising companies (like Google or Apple iad) collect location data to target advertising to users. These companies offer users, at best, an option to unsub- scribe (opt-out), while most people are not informed of this collection. Other applications, such as Foursquare, are based on geolocation and allow the physical tracking of a person.23 The site www.pleaserobme.com shows that a third party can tell if someone is at home, on the basis of information published on social networks.

On these issues, our Commission obviously supports the implementation of the European data protection framework (requirement to supply information, prior consent of the user, access and suppression rights, security of ­applications to avoid data loss or leakage).

20 | Opinion No. 2/2010 on behavioural advertising on-line, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/ 2010/wp171_en.pdf (accessed May 6, 2011). 21 | Directive 2002/58/EC, http://eur-lex.europa.eu/LexUriServ/ LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF (accessed May 3, 2011). 22 | Specifically, cookies and javascript, in general. 23 | Although these companies ensure that they generally restrict access to location data, their security is not assured. In the case of Foursquare, on June 20, 2010, a hacker announced to have recovered 875,000 location information of users in San Francisco through a security breach. 96 KAS INTERNATIONAL REPORTS 5|2011

The development of e-government

In the public sector, increasingly more local and national governments are developing on-line domains, to deliver on-line services to citizens. On-line services facilitate access to the government because they are The establishment of on-line services often faster, available 24/7 and offer more allows the government to better under- options, for example in the exercise of the stand the needs of users and makes it easier to follow public activity. rights of individuals. In addition, on-line services allow a less costly processing of records. The establishment of on-line services also allows the government to better understand the needs of users and makes it easier to follow public activity, through the definition of indicators based on-line services.

However, these services often collect sensitive information (income, family structure, disability, information about minors, etc.) and use the real names of people, or the NIR24. Therefore, there is a risk that the information is cross-checked between different processing procedures. Our Commission was created in response to a government project to create a central record on all French nationals (project Safari) and therefore gives particular attention to the establishment of on-line services25 and files intercon- nections26. It also ensures that the safety of processing is ensured through technical measures and the accurate identification of people with access to information.

While most processing procedures implemented by the state are not available on-line, the Internet is undeniably becoming the standard interface for exchanges between citizens and the government. The establishment of centralized portals like www.mon.service-public.fr that allow access to multiple services should not lead to the interconnection of files, which could undermine respect for the privacy of individuals. Our Commission has ensured that this portal is constructed in a manner that protects privacy, including the establishment of a federation of identities.

24 | NIR: Natural Persons Identification Number, a unique number assigned to each French at birth. 25 | The establishment of on-line services by the government is subject to review by the CNIL (point 4 of II of Article 27 of the Data Protection Law). 26 | In general, the CNIL has no objection to the interconnections of files if they facilitate procedures for users. 5|2011 KAS INTERNATIONAL REPORTS 97

The government wants to strengthen the development of on-line services in the future. To this end, on 1 February 2010, the State Secretariat for Digital Economy launched the IDéNum mark27, which aims to provide increased relia- bility to authentication devices. A prototype will be launched by the end of 201028. The government wants to strengthen Through its expertise, the CNIL is required the development of on-line services in the future. The CNIL is required to en- to rule on these projects to ensure they are sure they are always conducted with always conducted with respect to individual respect to individual liberties. liberties.

MONITORING THE INTERNET

Monitoring communications

To exercise its sovereign functions, the state also needs access to communications on the Internet. The legislative framework has been enriched in recent years to define and regulate the information to which the state may have access.

First, Directive 2006/24/EC on data retention set the European legal framework for the conservation of connection data and defines, in Article 5, the data that operators of electronic communications services must keep. This Directive concerns telephony, Internet access and email. It has been transposed into French law by Law No. 2006-64 on the fight against terrorism29. The data collected are kept for one year from the date of regis- tration. The CNIL also participates in the Expert Group of the European Commission on data retention. Beyond these provisions, the Data Protection Law applies to any collection of data relating to electronic communications.

Moreover, the status of electronic communications opera- tors and hosting providers vis-à-vis trade on the Internet has been clarified by the Law on confidence in the digital

27 | Cf. Ministère de l’Économie, des Finances et de l’Industrie, “Le Label IDéNum, l’identité numérique multi-services,” Febru- ary 1, 2010, http://telecom.gouv.fr/actualites/1-fevrier-2010- label-idenum-identite-numerique-multi-services-2311.html (accessed May 3, 2011). 28 | Other projects, such as electronic identity cards, may also provide a unique means of identity management on-line. 29 | Articles L.34 and L.34-1-1-1 and articles R.10-12 et sqq. of the Post and Electronic Communications Code. 98 KAS INTERNATIONAL REPORTS 5|2011

economy adopted in 2004.30 This law provides that such persons “are not subject to a general obligation to monitor the information they transmit or store, nor a general obligation to seek facts or circumstances indicating illegal activity.”

However, as part of the review of the law LOPPSI 2, the government proposed provisions to filter some illegal content on the Internet. The objective is to fight against child pornography. This project has raised concerns among civil society, where some saw it as a first step toward accepting the idea of Internet filtering (beyond the fight against child pornography). The bill is currently pending in the Senate. It should be noted that filtering would be considered a general blocking of certain websites, without any special processing of particular people and therefore, a priori, without processing of personal data.

The protection of artistic works

On the other hand, France has strengthened its legal arsenal to fight against the piracy of works protected under intellectual property. After a first law in 2006 (DADVSI), in 2010, the Parliament adopted two laws, known as “Hadopi”31, which created the High Authority France has strengthened its legal arse- for the dissemination of works and the nal to fight against the piracy of works protection of rights on the Internet (HADOPI) protected under intellectual property. After two warnings, the user’s Inter- and implemented the “three strikes rule”, a net access can be cut off by court. mechanism by which a surfer offender is warned twice by email and letter. After two warnings and in case of a subsequent offence, the user’s Internet access can be cut off by court.32

Thus, the Hadopi draws on observations made by groups of rights holders. These examine the exchange of illegal files on the Internet to identify offenders. Our Commission

30 | Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy. 31 | Law No. 2009-669 of 12 June 2009, promoting the dissemi- nation and protection of creation on the Internet and Law No. 2009-1311 of 28 October 2009 on the protection under criminal law of literary and artistic property on the Internet. 32 | The establishment of the Hadopi and the collection of IP addresses of Internet users has sparked heated debate within French society, particularly with regard to risks entailed in monitoring the activity of people on the Internet. 5|2011 KAS INTERNATIONAL REPORTS 99 has authorized the collection of the personal information necessary to establish these findings33, provided that the collection was not extensive: only the coordinates of Internet users sharing works included in a limited catalogue were collected. The Hadopi scheduled to send the first e-mail warning in September 2010.

The issue of access to data

The last crucial issue concerning the Internet in France relates to the identification and access to data stored on the Internet. In fact, most major groups on the Internet are U.S. companies, which store information in data centres in the United States. This poses problems in terms of the legal liability of these companies, as they usually refer to U.S. law. In particular, as regards personal data, users of on-line services may have difficulty enforcing the European legislation, including the right of The United States are not among the access, prior consent or conservation periods. states that ensure adequate protection of privacy and the transfer of personal The United States are not among the states data to countries that are subject to that ensure adequate protection of privacy authorization by the CNIL. and the transfer of personal data to countries that are subject to authorization by the CNIL. However, the United States have implemented the “Safe Harbor”, managed by the FTC34, which allows a U.S. company to declare its compliance with European principles on data protection. This provision offers certain guarantees but is not equivalent to the existence of a CNIL-type authority. However, with the creation of the GPEN (Global Privacy Enforcement Network), the CNIL of European and other countries and the FTC recently strengthened international cooperation.

Moreover, the location of data in a third state raises the question of access by authorities of this state to data. For example, the Patriot Act allows U.S. authorities to access any database on U.S. territory.

In the future, more and more computer services will be offered via the Internet and the “computing cloud” will aim to replace the use of locally installed software. These services offer many advantages for businesses, particularly

33 | Specifically, the IP address of the user’s station. 34 | Federal Trade Commission. 100 KAS INTERNATIONAL REPORTS 5|2011

in terms of flexibility and cost. However, in this case, the physical location of data is not always clear35. To control the risks of Internet use, it seems important for users to have new tools to monitor the use made of their data.

CONCLUSION

In conclusion, the Internet policy in France is broken down into many problems that can be grouped into three main categories. Firstly, the question of the economic model gave rise to important debates on the financing of the Internet and how to maintain “free” access to content (at what cost to personal data?). Furthermore, the compe­ titive landscape of the Internet, largely dominated by U.S. companies, raises problems of legal liability, particularly vis-à-vis the European framework for the protection of personal data. Finally, the specific action of the State, whether for promoting its own on-line services or for the establishment of more or less developed mechanisms for monitoring the Internet, must be conducted with respect for the privacy of individuals. On all these issues, our Commission is leading the effort for the development of the Internet with respect for the rights and freedoms of individuals.

Although part of these debates are specifically French, some of them – such as the creation of a framework for the protection of personal data or the issue of net neutrality – should be addressed at EU and international level.

35 | Google, for example, has many data centres and does not inform clients in which their data is housed.